The 2010 Pwnie Winner For Best Client-Side Bug

Java Trusted Method Chaining (CVE-2010-0840)

Credit: Sami Koivu

This¬†exploit¬†basically breaks the whole Java security model. It’s more a demonstration of a new bug class than just one vulnerability. Apple patches Java three months after every new exploit comes out, and none of the IDS/AV companies could figure out how to write this exploit, so there was really no defence for quitea long time. Custom Java compilers doing complex, cross platform, 100% reliable exploits For The Win!.